How do I secure my pickle files correctly?

I'm following this guide to secure the pickle files correctly, but I'm not getting the same output. Granted, I had to make some changes to run it the first time:

import hashlib
import hmac
import pickle
import secrets


class Dummy:
    pass


obj = Dummy()
data = pickle.dumps(obj)
digest = hmac.new(b'unique-key-here', data, hashlib.blake2b).hexdigest()
with open('temp.txt', 'wb') as output:
    output.write(str(digest) + ' ' + data)

with open('temp.txt', 'r') as f:
    data = f.read()

digest, data = data.split(' ')
expected_digest = hmac.new(b'unique-key-here', data, hashlib.blake2b).hexdigest()

if not secrets.compare_digest(digest, expected_digest):
    print('Invalid signature')
    exit(1)

obj = pickle.loads(data)

When I run this I get the following stacktrace:

  File "test.py", line 21, in <module>
    expected_digest = hmac.new(b'unique-key-here', data, hashlib.blake2b).hexdigest()
  File "/usr/lib/python3.8/hmac.py", line 153, in new
    return HMAC(key, msg, digestmod)
  File "/usr/lib/python3.8/hmac.py", line 88, in __init__
    self.update(msg)
  File "/usr/lib/python3.8/hmac.py", line 96, in update
    self.inner.update(msg)
TypeError: Unicode-objects must be encoded before hashing

Your problem is data = f.read(). .read() returns a string and hmac.new() wants bytes. Change the problem line to data = f.read().encode('utf-8') OR read the file in binary mode ('b' flag).

I ended up having to use the following methods for it to work:

pickle.loads(codecs.decode(pickle_data.encode(), 'base64'))
# and
codecs.encode(pickle.dumps(pickle_obj), "base64").decode()

Not sure why using .encode() and .decode() was still not working for me.
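
A sign-and-verify round trip that stays in bytes from start to finish, as the first answer suggests, added here as an example and not code from the guide or from either answer. It assumes a file layout of the 64-byte raw BLAKE2b HMAC followed directly by the pickle bytes, split by length rather than on a space because pickle output can itself contain space bytes; the function names and the sample object are hypothetical.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

KEY = b'unique-key-here'  # key literal from the question; use a random secret in practice
DIGEST_SIZE = hashlib.blake2b().digest_size  # 64 raw bytes for BLAKE2b


def sign(data: bytes, key: bytes = KEY) -> bytes:
    """HMAC-BLAKE2b over the pickle bytes, returned as raw bytes."""
    return hmac.new(key, data, hashlib.blake2b).digest()


def dump_signed(obj, path, key=KEY):
    """Write digest || pickle in binary mode (assumed layout, no separator)."""
    data = pickle.dumps(obj)
    with open(path, 'wb') as f:
        f.write(sign(data, key) + data)


def load_signed(path, key=KEY):
    """Verify the digest first; unpickle only if it matches."""
    with open(path, 'rb') as f:
        blob = f.read()
    # Slice by length: pickle bytes may contain 0x20, so split(b' ') is unsafe.
    digest, data = blob[:DIGEST_SIZE], blob[DIGEST_SIZE:]
    if not hmac.compare_digest(digest, sign(data, key)):
        raise ValueError('Invalid signature')
    return pickle.loads(data)


def demo():
    """Round-trip a constructed object, then corrupt one payload byte and reload."""
    sample = {'answer': 42, 'text': 'value with spaces'}  # constructed sample
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'temp.bin')
        dump_signed(sample, path)
        loaded = load_signed(path)
        with open(path, 'r+b') as f:
            f.seek(DIGEST_SIZE)  # first payload byte (0x80 PROTO opcode)
            f.write(b'\x00')     # simulate modification of the stored pickle
        try:
            load_signed(path)
            rejected = False
        except ValueError:
            rejected = True
    return loaded, rejected
```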
